Dormant Bitcoin wallets with public keys face quantum risk

Bitcoin addresses that have exposed public keys on-chain are at higher risk from future quantum computers; active holders can move funds but inaccessible early coins remain exposed.

Dormant Bitcoin wallets that have public keys visible on the blockchain are more vulnerable to future quantum computers than active addresses. Holders who control their keys can move coins to other formats, but coins in inaccessible or lost wallets cannot be migrated.

Bitcoin uses SHA-256 hashing for mining and for hashed address types, and ECDSA or Schnorr signatures over the secp256k1 curve to authorize spends. Quantum algorithms affect those parts differently. Grover's algorithm gives only a quadratic speedup against hash functions, cutting SHA-256's 256-bit preimage security to roughly 128 bits, which still leaves mining and hashed addresses out of practical reach. Shor's algorithm is the real threat: it solves the elliptic-curve discrete logarithm problem, so a sufficiently powerful quantum computer could derive a private key from a known public key and then sign transactions that spend the coins.

Two attack scenarios frame the risk. An on-spend attack targets the public key that becomes visible when a transaction is broadcast; the attacker must derive the private key and get a conflicting, higher-fee transaction confirmed before the original one, which leaves roughly one block interval of about 10 minutes, or somewhat longer if the victim's transaction waits in the mempool. An at-rest attack targets addresses whose public keys are already recorded on-chain; there is no time window at all, and the attacker can spend days, weeks or longer computing a private key before moving the coins.

Several address types expose public keys on-chain. Pay-to-Public-Key (P2PK) outputs, the default in Bitcoin's early years, place the public key directly in the output script. Pay-to-Public-Key-Hash and native SegWit v0 outputs commit only to a hash of the key, but the first spend from such an address puts the key in the spending input, so any balance that remains at, or is later sent to, a reused address is exposed. Taproot (P2TR) outputs put the tweaked output public key, a point on the curve, directly in the output script, so they are exposed from the moment funds arrive rather than only after a spend. Many early-block rewards of 50 BTC have not moved for more than a decade and fall into the P2PK category.
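The at-rest exposure described above can be checked mechanically from the output scripts alone. The following is an added example, not code from the article or from any Bitcoin project: it recognises the standard scriptPubKey templates, flags outputs whose script already contains a curve point (P2PK, P2TR), and flags reused hash-based addresses by pulling the public key out of an earlier spend's scriptSig. The sample UTXOs, spends and "public keys" are constructed placeholder bytes (not real secp256k1 points), only direct pushes and OP_PUSHDATA1 are parsed, and HASH160 is deliberately not recomputed because consensus already verified the key matched when the spend confirmed.

```python
# Added example: which Bitcoin outputs already expose a public key on-chain?
# Constructed data only; the "public keys" are placeholder bytes, not real secp256k1 points.
from __future__ import annotations
from dataclasses import dataclass

OP_0, OP_PUSHDATA1, OP_1 = 0x00, 0x4C, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x87, 0x88, 0xA9, 0xAC

@dataclass(frozen=True)
class Exposure:
    kind: str           # output template
    key_on_chain: bool  # True when the output script itself contains an EC point
    reason: str

def classify_script_pubkey(spk: bytes) -> Exposure:
    """Match the standard scriptPubKey templates and report at-rest key exposure."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:   # <pubkey> OP_CHECKSIG
        return Exposure("p2pk", True, "public key is the output script itself")
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):     # OP_DUP OP_HASH160 <20> ...
        return Exposure("p2pkh", False, "only HASH160(pubkey) until the first spend")
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 0x14 and spk[22] == OP_EQUAL:
        return Exposure("p2sh", False, "script hash only; keys appear when spent")
    if n == 22 and spk[0] == OP_0 and spk[1] == 0x14:                  # OP_0 <20>
        return Exposure("p2wpkh", False, "only HASH160(pubkey) until the first spend")
    if n == 34 and spk[0] == OP_1 and spk[1] == 0x20:                  # OP_1 <32-byte x-only key>
        return Exposure("p2tr", True, "tweaked output key is an EC point in the script")
    return Exposure("unknown", False, "unrecognised script template")

def parse_pushes(script: bytes) -> list[bytes]:
    """Data pushes of a script (direct pushes and OP_PUSHDATA1; other opcodes push nothing)."""
    pushes, i = [], 0
    while i < len(script):
        op, i = script[i], i + 1
        if 1 <= op <= 75:
            pushes.append(script[i:i + op]); i += op
        elif op == OP_PUSHDATA1:
            ln = script[i]
            pushes.append(script[i + 1:i + 1 + ln]); i += 1 + ln
    return pushes

@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_pubkey: bytes
    value_sat: int

@dataclass(frozen=True)
class SpentInput:
    prev_script_pubkey: bytes  # output script this input spent
    script_sig: bytes          # legacy scriptSig; for P2PKH it is <sig> <pubkey>

def revealed_keys(spends: list[SpentInput]) -> dict[bytes, bytes]:
    """scriptPubKey -> pubkey for P2PKH outputs whose key an earlier spend has shown.
    HASH160 is not recomputed here: consensus already checked it when the spend confirmed."""
    out = {}
    for s in spends:
        if classify_script_pubkey(s.prev_script_pubkey).kind == "p2pkh":
            pushes = parse_pushes(s.script_sig)
            if len(pushes) == 2 and len(pushes[1]) in (33, 65):
                out[s.prev_script_pubkey] = pushes[1]
    return out

def exposure_report(utxos: list[Utxo], spends: list[SpentInput]) -> list[tuple]:
    """One (txid, vout, kind, exposed, reason) row per unspent output."""
    revealed, rows = revealed_keys(spends), []
    for u in utxos:
        e = classify_script_pubkey(u.script_pubkey)
        if e.key_on_chain:
            rows.append((u.txid, u.vout, e.kind, True, e.reason))
        elif u.script_pubkey in revealed:
            rows.append((u.txid, u.vout, e.kind, True, "address reused: key revealed by an earlier spend"))
        else:
            rows.append((u.txid, u.vout, e.kind, False, e.reason))
    return rows

def at_risk_balance(utxos: list[Utxo], spends: list[SpentInput]) -> int:
    """Satoshis in outputs an at-rest attacker could target without any time pressure."""
    exposed = {(r[0], r[1]) for r in exposure_report(utxos, spends) if r[3]}
    return sum(u.value_sat for u in utxos if (u.txid, u.vout) in exposed)

# --- constructed sample data (placeholder keys, not real curve points) ---
PUBKEY_A, PUBKEY_B = b"\x02" + b"\x11" * 32, b"\x03" + b"\x22" * 32
P2PK_SPK = bytes([33]) + PUBKEY_A + bytes([OP_CHECKSIG])
P2PKH_SPK = bytes([OP_DUP, OP_HASH160, 0x14]) + b"\xaa" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_SPK = bytes([OP_0, 0x14]) + b"\xbb" * 20
P2TR_SPK = bytes([OP_1, 0x20]) + b"\xcc" * 32
SAMPLE_UTXOS = [
    Utxo("early_coinbase", 0, P2PK_SPK, 50 * 100_000_000),  # 2009-style 50 BTC reward
    Utxo("reused_addr", 1, P2PKH_SPK, 30_000_000),          # balance left at a spent-from address
    Utxo("fresh_segwit", 0, P2WPKH_SPK, 10_000_000),        # never spent from: hash only
    Utxo("taproot_out", 0, P2TR_SPK, 5_000_000),
]
# one earlier spend from the P2PKH address: scriptSig = <71-byte sig> <33-byte pubkey>
SAMPLE_SPENDS = [SpentInput(P2PKH_SPK, bytes([71]) + b"\x30" * 71 + bytes([33]) + PUBKEY_B)]
```

Calling `exposure_report(SAMPLE_UTXOS, SAMPLE_SPENDS)` marks the P2PK coinbase, the reused P2PKH address and the Taproot output as exposed and leaves the never-spent P2WPKH output unflagged; `at_risk_balance` sums the three exposed outputs. Against real chain data the same logic needs a full script parser (OP_PUSHDATA2/4, witness data for P2WPKH spends) and a UTXO set to iterate over, but the classification rule is the one the article describes: a key is at rest on-chain if it sits in the output script or has already appeared in a spend from the same address.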

Estimates indicate millions of dollars’ worth of BTC sit in addresses with visible public keys, concentrated in a relatively small number of early-era wallets. The combination of high balances, long on-chain exposure and lack of active custodians creates an attractive target profile for attackers who could exploit a future quantum capability.

The prospect of quantum-enabled spending from dormant addresses would raise questions for the network about how to treat those coins. Possible areas of debate include whether protocol-level measures should try to prevent or reverse such spends, how to handle ownership claims when keys are derived by attackers, and how immutability principles apply to long-unmoved funds.

Mitigation steps available now mainly benefit active users. Best practices are to use each address once, to reveal a public key only at the moment of spending, and never to leave a balance behind at an address that has already been spent from. Work is underway to design migration paths to quantum-resistant signature schemes and to study how post-quantum cryptography could be integrated into the protocol without breaking its existing properties. Coins in wallets whose private keys are lost or whose holders are inactive cannot be moved by any of those measures.

There is no accepted evidence that quantum computers capable of deriving Bitcoin private keys exist today. Development of such machines is expected to take years or possibly decades. Any initial impacts from quantum advances are likely to be selective, affecting addresses with exposed public keys rather than causing an immediate, network-wide failure.
